Date:      Fri, 12 Apr 2002 23:46:02 -0700
From:      "Crist J. Clark" <cjc@FreeBSD.ORG>
To:        Andy Farkas <andyf@speednet.com.au>
Cc:        peter.lai@uconn.edu, "Kevin Kinsey, DaleCo, S.P." <kdk@daleco.biz>, security@FreeBSD.ORG
Subject:   Re: hosts.allow and RFC931 - was: sshd warning---a lil' help?
Message-ID:  <20020412234602.B43915@blossom.cjclark.org>
In-Reply-To: <Pine.BSF.4.33.0204122053380.56356-100000@backup.af.speednet.com.au>; from andyf@speednet.com.au on Fri, Apr 12, 2002 at 09:07:10PM +1000
References:  <20020409185049.A17491@cowbert.2y.net> <Pine.BSF.4.33.0204122053380.56356-100000@backup.af.speednet.com.au>

On Fri, Apr 12, 2002 at 09:07:10PM +1000, Andy Farkas wrote:
> On Tue, 9 Apr 2002, Peter C. Lai wrote:
> 
> > a is true. the message is coming from hosts.allow, which checks for rdns as
> > a (weak) signal of spoofed packets.  You can deny these connections
> > by turning on:
> >
> > ALL : PARANOID : RFC931 20 : deny
> > # Provide some protection against clients using a forged source IP address
> >
> 
> Question: the above rule in the default /etc/hosts.allow file is *above*
> the rules regarding sshd - does this mean that sshd is not protected
> against forged source IP addresses?

The original statement is misleading. There is pretty much no way to
protect against forged IP addresses, IP is unauthenticated. All
PARANOID does is,

       PARANOID
              Matches any host whose  name  does  not  match  its
              address.

It looks up the host name from the address, then looks up the address
associated with the host name, and makes sure the addresses match. It
looks for people playing DNS games. It's only really useful if you are
restricting access by host name.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
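
The double lookup described above, as an added example that is not part of the original message and is not tcp_wrappers' own code. The function names, the constructed DNS tables, and the choice to report a missing reverse name as "unknown" are assumptions of this sketch.

```python
import socket

def system_reverse(addr):
    """PTR lookup via the system resolver; None when no name is found."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def system_forward(name):
    """Address lookup via the system resolver; empty list on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def classify(addr, reverse=system_reverse, forward=system_forward):
    """Return 'unknown', 'paranoid' or the verified host name for addr."""
    name = reverse(addr)
    if name is None:
        return "unknown"      # no name to check (assumed handling)
    if addr in forward(name):
        return name           # address -> name -> address round trip agrees
    return "paranoid"         # name does not match its address

# Constructed DNS data (documentation address ranges, example domains).
PTR = {
    "192.0.2.10": "shell.example.org",    # consistent forward and reverse
    "198.51.100.7": "shell.example.org",  # PTR set by the address owner
    "198.51.100.8": "gone.example.net",   # PTR to a name with no address
}
A = {"shell.example.org": ["192.0.2.10"]}

def demo(addr):
    """Classify addr against the constructed tables instead of real DNS."""
    return classify(addr, PTR.get, lambda n: A.get(n, []))

if __name__ == "__main__":
    for a in ("192.0.2.10", "198.51.100.7", "198.51.100.8", "203.0.113.5"):
        print(a, "->", demo(a))
```

The input is whatever source address the packet carried, so the result for 192.0.2.10 is the same no matter which machine sent it; the check only exposes inconsistent DNS, which matters when access rules are written by host name.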
